Personal data protection as required by the General Data Protection Regulation (GDPR)
This information applies to the personal data collected by Medcom Sp. z o.o. as the personal data controller, the ways in which the data is used and the rights of natural persons related to collection and use of the data. Should you have any questions or comments, please contact us at info@medcom.com.pl.
To operate its business activity, the Controller collects and uses information which identifies natural persons (also referred to as “the personal data”), which includes information about the customers of Medcom Sp. z o.o.
As we are committed to protecting your personal data, we want to inform you how the Controller collects, uses and retains the personal data, what the legal basis for the processing is, and what your rights and our obligations are as regards the processing.
Scope of information
This is to inform you about the forms of use of the personal data (“processing”) in Poland, in respect of natural persons including:
- the current or potential Customers of the Controller,
- the statutory representatives, attorneys or agents of customers and other persons whose data are processed for the purposes of issuing or paying for invoices in the course of cooperation with customers.
Categories of personal data
Data provided by the Customers
Our cooperation with the Customer, which may in particular consist of supply of devices manufactured by Medcom Sp. z o. o., cooperation intended to sell and advertise such products and cooperation by intermediaries, may give rise to the processing of the following personal data of the Customer:
- name and surname, business name, business address and mailing addresses,
- the numbers recorded on the relevant registers (such as the tax ID number (NIP) or the statistical ID number (REGON)),
- the personal number (PESEL),
- contact details, such as email addresses or phone and facsimile numbers,
- the position you hold in your organisation,
- the bank account number.
If a contract is to be concluded, provision of the data referred to above is voluntary, but necessary for the purpose of conclusion of the contract and its completion. Failure to provide the data may lead to incorrect cooperation or may prevent performance of the contract (e.g. if you do not provide your data, payment for an invoice may not be possible).
Data collected from other sources
We may obtain your personal data from publicly available sources such as business registers (business activity register - CEIDG, or the National Court Register - KRS) with the aim of verifying Customer-provided data. The scope of the processed data will then be limited to the data held in the relevant registers available to the public.
We can also collect your personal data from entities that employ you or which you represent. In this case, the scope of the processed data will include the information necessary to perform the contract between the Company and such an entity, e.g. information about termination of your employment with the entity, change of your contact data or change of your position.
We can also obtain your data from internal databases maintained by Medcom Sp. z o. o. This applies to data which enables us to contact individual Customers who have already purchased our devices - which includes requests for repairs.
Legal basis for personal data processing
We cannot process the personal data unless a valid legal basis exists. We therefore process the personal data only if:
- the processing is necessary to fulfil our contractual obligations to you if you are a party to a contract concluded with the Company or you place an order for the Controller’s devices;
- the processing is necessary for the purpose of fulfilling our legal obligations, e.g. the obligation to issue an invoice or other documents required by law, or we are expressly required to do so by law (this applies to situations where the Customer’s data is made available at the request of the competent authorities or courts);
- the processing is necessary for the Company or a third party to pursue legitimate interests, and it does not unduly affect your interests or fundamental rights and freedoms. Please note that when processing the personal data on this basis, we always strive to balance our legitimate interest and your privacy.
The “legitimate interests” include:
- conclusion and performance of contracts with Customers who are organisational units with no legal personality or legal entities,
- establishment or exercise of legal claims by the Company in the course of its business, as well as defence of such claims,
- verification of Customers in public registers,
- contacts with Customers, which includes keeping internal registers of Customers to enable the Company to contact them.
Purposes and periods of data processing
The personal data is processed only for a specific purpose and to the extent necessary to accomplish the purpose and as long as it is necessary. Presented below are the purposes pursued by the Company in the processing of personal data and the periods for which the data is processed.
Purpose of processing | Period of processing
Fulfilment of contractual obligations. | Effective term of the contract between the Customer and the Company.
Archiving data on the basis of generally applicable provisions of law, such as the Accounting Act and the Tax Ordinance Act. | The period indicated in the relevant provisions; generally - 5 years from the end of the calendar year in which it took place, e.g. invoice issuance.
Notwithstanding the above periods, your data may be processed by the Company for the purposes of establishment and exercise of claims by the Company as part of its business activity and defence of such claims for the appropriate periods of limitation of the claims, i.e. generally not longer than 6 years after the occurrence of the event resulting in the claim.
Personal data protection measures
All employees who have access to the personal data must respect the internal rules and processes related to the processing of personal data in order to protect it and ensure its confidentiality. They shall also be obliged to apply all technical and organisational measures implemented to protect the personal data.
We have implemented the appropriate technical and organisational measures to protect personal data against unauthorised, accidental or unlawful destruction, loss, alteration, inappropriate use, disclosure of, or access to personal data and any other illegal forms of processing. These protection measures have been implemented taking into account the state-of-the-art technology, the cost of implementation, the risks involved in the processing and the nature of the personal data, with particular emphasis on sensitive data.
Personal data transfer
Personal data transfer within Medcom Sp. z o.o.
We can transfer your personal data to our employees, in particular the sales department employees.
Personal data transfer outside Medcom Sp. z o.o.
The data may be transferred to recipients and other third parties in order to accomplish purposes necessary for the performance of tasks contracted by the Company if required by the law or if the Company has any other legal basis. The recipients or other third parties may include:
- all national public administration authorities (e.g. the Police), the authorities of other EU Member States (e.g. bodies set up to protect the personal data in other Member States) or courts, if required by the applicable national or Union law or at their request,
- courier or postal service providers,
- transport and forwarding companies,
- other persons within the organisation of the Customer.
The processing of personal data takes place only insofar as it is necessary for the Company to operate. The Company controls the operation of such entities by means of the appropriate contractual clauses which protect your privacy.
Data transfer outside the European Economic Area
The personal data obtained by Medcom Sp. z o. o. is not processed in countries outside the European Economic Area.
Rights of the Customers and exercise of the rights
Your rights
- The right of access to personal data
Each person has a right of access to his/her personal data processed by the Company. If you consider that any information concerning you is inaccurate or incomplete, please submit a request for its rectification. The Company shall immediately rectify such information.
- Withdrawal of consent
You have the right to withdraw your consent for the processing of your personal data if Medcom Sp. z o. o. has obtained such consent for processing (provided that the withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal).
- Right to erasure
The erasure of personal data shall be based on the provisions of the GDPR.
- Right to restriction of processing
The restriction of personal data processing shall be based on the provisions of the GDPR.
- Right to object
You have the right to object, on grounds relating to your particular situation, to processing of your personal data (including profiling) if such processing is carried out in order to pursue a public interest or legitimate interests of the Company or a third party.
- Right to data portability
This means the possibility to obtain personal data submitted to the Company in a structured, commonly used and machine-readable format and to request such personal data to be transmitted to another controller of personal data, without any hindrance from the Company and subject to its own confidentiality obligations.
The Company shall verify your requests or objections in accordance with the applicable personal data protection legislation. However, please note that these rights are not of an absolute nature; there are exceptions to their application.
In response to your request, the company may ask for verification of your identity or provision of information that will help the Company understand the situation better. The Company shall make every effort to explain its decision if your requests are not satisfied.
Exercising your rights
To exercise the above rights, please send an email message to info@medcom.com.pl, contact us by phone at +48 223144200 or by post at: ul. Jutrzenki 78A, PL 02-230 Warszawa with a note “Personal Data Protection”.
If you are not satisfied with the way the Company processes your personal data, please notify us thereof, and we shall investigate all inaccuracies. Please inform us of any doubts using the contact details provided above.
Should you have any objections to the Company’s response, you may lodge a complaint with the competent personal data protection authority, i.e. in Poland - the President of the Personal Data Protection Authority.
To keep the personal data up-to-date and accurate, we may periodically ask you to check and confirm your personal data we hold or to inform us of any changes regarding the personal data (such as a change of your email address). We encourage you to check on a regular basis the accuracy, currency and completeness of the personal data we process.